MySQL syntax error in WHILE statement
I'm working through learning MySQL (v 5.6) and trying to get a simple WHILE loop to go through. I even just straight copy & paste from the manual (with added SELECT v1; statement).

    CREATE PROCEDURE dowhile()
    BEGIN
      DECLARE v1 INT DEFAULT 5;
      WHILE v1 > 0 DO
        SELECT v1;
        SET v1 = v1 - 1;
      END WHILE;
    END;

Workbench is giving me this error:

    CREATE PROCEDURE dowhile() BEGIN DECLARE v1 INT DEFAULT 5 Error Code: 1064. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 3 0.001 sec

Any insight from more experienced MySQL programmers is very appreciated!
Source: https://stackoverflow.com/questions/23598218
Best answer
All security is a trade-off.
(I'm not a crypto/security expert. These are my understandings from what I've read and studied, but if you're doing anything important, get professional advice from someone who's done this a lot for real).
In this case you have a number of choices that differ mainly on how they trade off uptime/convenience with key theft/abuse risk. I'm assuming you're using a GnuPG/OpenPGP library, rather than the command-line tools, but if not "the app" can be considered the GnuPG agent.
1. Store the key un-encrypted on disk. The app can use the key whenever it wants. If the app is restarted, it has immediate access to the key. An attacker that breaks into the system or steals an (unencrypted) backup can use the key easily. Proper backup encryption is vital.
2. A marginal improvement over this approach is to store the key encrypted and store the (obfuscated) passphrase for the key elsewhere in the system / in the app binary; it makes life a bit harder for the attacker and means they at least have to spend more time on it, but in most cases they'll still be able to recover it pretty easily. Proper backup encryption is vital.
3. Store the key encrypted on disk and store it decrypted in memory on app startup. A human can decrypt the key when prompted during app startup; after that, the app can use the key whenever it wants. Theft of the key from disk / backups does the attacker little good; they have to go to the extra effort of recovering the key from the application's memory, or modifying/wrapping the application to capture the passphrase when entered by the administrator after a crash/restart. Key must be locked in memory that cannot be swapped out.
4. Store the key encrypted on disk and decrypt it only with specific administrator interaction. The app cannot use the key without an admin intervening. The key is pretty safe on disk and the theft risk from app memory is limited by the short periods it's in memory. However, an attacker that has broken into the system can still modify the app to record the key when it's decrypted, or capture the passphrase. Key must be locked in memory that cannot be swapped out.
5. Store the key on removable storage. Physically insert it on app startup to decrypt the key and store it in app memory like (3), or when the app actually needs to use the key like (4). This makes it a bit harder for the attacker to steal the encrypted key and makes password theft less useful, but no harder to modify the app to steal the decrypted key. They can also just wait until they see the storage inserted and copy the encrypted key if they've stolen the passphrase with a wrapper/keylogger/etc. IMO it's not much benefit over a strong passphrase for the encrypted key on disk - it might make life a little harder on the attacker, but it's a lot harder on the admin.
6. Store the key on a smartcard, crypto accelerator, or USB crypto device that's designed never to permit the key to be exposed, only to perform crypto operations using it. The PKCS#11 standard is widely supported and useful for this. The key (theoretically) cannot be stolen without physically stealing the hardware - there are key extraction attacks on lots of hardware, but most require lots of time, and often require physical access. The server can use the key at will (if the accelerator has no timeout/unlock) or only with admin intervention (if the accelerator is locked after each use and must be unlocked by the admin). The attacker can still decrypt data using the accelerator by masquerading as the app, but they've got to do a lot more work, and will need to have ongoing access to the target system. Of course, this one costs more.
Disaster recovery is more challenging for this option; you depend on physical hardware for decrypting your data. If the data center burns down, you're done for. So you need duplicates and/or a very securely stored copy of the key itself. Every duplicate adds risk, of course, especially the one plugged into that "just in case" backup server we don't really use and don't keep the security patches up to date on...
If you go for hardware with a key built-in rather than one where you can store but not read the key, you have the added challenge that one day that hardware will be obsolete. Ever tried to get business critical software that requires an ISA card running on a modern server? It's fun - and one day, PCI/X and USB will be like that too. Of course, by then the crypto system you're using might be broken anyway, so you'll need to decrypt all your data and migrate it to another setup anyway. Still, I'd be using hardware where I can generate a key, program it into the hardware, and store the original key in a couple of different forms in a bank safe deposit box.
Now that you've read that, remember: I'm just an interested not-even-hobbyist. Go ask a professional. When they tell you how totally wrong I am, come here and explain :-)
Whatever you do, DO NOT invent your own crypto system.
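The requirement in options 3 and 4 that the decrypted key sit in memory that cannot be swapped out, shown as an added example that is not part of the original answer. It assumes a Linux/POSIX host; `keybuf_alloc`, `keybuf_free` and `disable_core_dumps` are hypothetical names, and the key bytes are a constructed stand-in.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

struct keybuf { unsigned char *data; size_t len; size_t mapped; };

/* Wipe through a volatile pointer so the compiler cannot optimise it away. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Page-aligned, mlock()ed buffer. Returns 0, or -1 if locking fails. */
int keybuf_alloc(struct keybuf *kb, size_t len) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || len == 0) return -1;
    size_t mapped = (len + (size_t)page - 1) / (size_t)page * (size_t)page;
    unsigned char *p = aligned_alloc((size_t)page, mapped);
    if (!p) return -1;
    if (mlock(p, mapped) != 0) {  /* fail closed: no key in swappable RAM */
        free(p);
        return -1;
    }
    kb->data = p; kb->len = len; kb->mapped = mapped;
    return 0;
}

/* Zero the key before the pages are unlocked and returned to the heap. */
void keybuf_free(struct keybuf *kb) {
    if (!kb->data) return;
    wipe(kb->data, kb->mapped);
    munlock(kb->data, kb->mapped);
    free(kb->data);
    kb->data = NULL; kb->len = kb->mapped = 0;
}

/* A core dump would write the decrypted key to disk; call at startup. */
int disable_core_dumps(void) {
    struct rlimit rl = {0, 0};
    return setrlimit(RLIMIT_CORE, &rl);
}

int main(void) {
    struct keybuf kb = {0};
    if (disable_core_dumps() != 0 || keybuf_alloc(&kb, 32) != 0) return 1;
    memset(kb.data, 0xA5, kb.len);  /* constructed stand-in for the decrypted key */
    keybuf_free(&kb);               /* option 4: release as soon as the operation ends */
    return 0;
}
```

If `mlock` fails because `RLIMIT_MEMLOCK` is too low, the allocation is refused rather than falling back to ordinary heap memory.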